Peer-reviewed research papers

To appear in Proc. ACM Conference on Human
Factors in Computing Systems (CHI ’19), May 2019

HTTPS and TLS are the backbone of Internet security, however
setting up web servers to run these protocols is a notoriously
difficult process. In this paper, we perform two live-subjects
usability studies on the deployment of HTTPS in a real-world
setting. Study 1 is a within-subjects comparison between
traditional HTTPS configuration (purchasing a certificate and
installing it on a server) and Let’s Encrypt, which automates
much of the process. Study 2 is a between-subjects study looking
at the same two systems, examining why users encounter usability
issues. Overall, we confirm past results that HTTPS is difficult
to deploy, and we find some evidence that suggests Let’s Encrypt
is an easier, more efficient method for deploying HTTPS.

To appear in Proc. 4th Workshop on Advances in Secure Electronic Voting (Voting ’19), February 2019

We present a method and software for ballot-polling
risk-limiting audits (RLAs) based on Bernoulli sampling: ballots
are included in the sample with probability p,
independently. Bernoulli sampling has several advantages: (1) it
does not require a ballot manifest; (2) it can be conducted
independently at different locations, rather than requiring a
central authority to select the sample from the whole population
of cast ballots or requiring stratified sampling; (3) it can
start in polling places on election night, before margins are
known. If the reported margins for the 2016 U.S. Presidential
election are correct, a Bernoulli ballot-polling audit with a
risk limit of 5% and a sampling rate of p_0 = 1% would have had at
least a 99% probability of confirming the outcome in 42
states. (The other states were more likely to have needed to
examine additional ballots.) Logistical and security advantages
that auditing in the polling place affords may outweigh the cost
of examining more ballots than some other methods might require.

We report the first wide-scale measurement study of server-side
geographic restriction, or geoblocking, a phenomenon in which server
operators intentionally deny access to users from particular countries
or regions. Many sites practice geoblocking due to legal requirements
or other business reasons, but excessive blocking can needlessly deny
valuable content and services to entire national populations.

To help researchers and policymakers understand this phenomenon,
we develop a semi-automated system to detect instances where whole
websites were rendered inaccessible due to geoblocking. By focusing on
detecting geoblocking capabilities offered by large CDNs and cloud
providers, we can reliably distinguish the practice from dynamic
anti-abuse mechanisms and network-based censorship. We apply our
techniques to test for geoblocking across the Alexa Top 10K sites from
thousands of vantage points in 177 countries. We then expand our
measurement to a sample of CDN customers in the Alexa Top 1M.

We find that geoblocking occurs across a broad set of countries
and sites. We observe geoblocking in nearly all countries we study,
with Iran, Syria, Sudan, Cuba, and Russia experiencing the highest
rates. These countries experience particularly high rates of
geoblocking for finance and banking sites, likely as a result of
U.S. economic sanctions. We also verify our measurements with data
provided by Cloudflare, and find our observations to be accurate.

Remote censorship measurement tools can now detect
DNS- and IP-based blocking at global scale. However,
a major unmonitored form of interference is blocking
triggered by deep packet inspection of application-layer
data. We close this gap by introducing Quack, a scalable,
remote measurement system that can efficiently detect
application-layer interference.

We show that Quack can effectively detect application-layer
blocking triggered on HTTP and TLS headers, and
it is flexible enough to support many other diverse protocols.
In experiments, we test for blocking across 4458
autonomous systems, an order of magnitude larger than
provided by country probes used by OONI. We also test
a corpus of 100,000 keywords from vantage points in 40
countries to produce detailed national blocklists. Finally,
we analyze the keywords we find blocked to provide insight
into the application-layer blocking ecosystem and
compare countries’ behavior. We find that the most consistently
blocked services are related to circumvention tools,
pornography, and gambling, but that there is significant
country-to-country variation.

Certificate Authorities (CAs) regularly make mechanical errors
when issuing certificates. To quantify these errors, we
introduce ZLint, a certificate linter that codifies the policies
set forth by the CA/Browser Forum Baseline Requirements and RFC
5280 that can be tested in isolation. We run ZLint on
browser-trusted certificates in Censys and systematically
analyze how well CAs construct certificates. We find that the
number of errors has dropped drastically since 2012. In 2017, only
0.02% of certificates have errors. However, this is largely due
to a handful of large authorities that consistently issue
correct certificates. There remains a long tail of small
authorities that regularly issue non-conformant certificates. We
further find that issuing certificates with errors is correlated
with other types of mismanagement and for large authorities,
browser action. Drawing on our analysis, we conclude with a
discussion on how the community can best use lint data to
identify authorities with worrisome organizational practices and
ensure long-term health of the Web PKI.

Internet access in Cuba is severely constrained, due to limited
availability, slow speeds, and high cost. Within this isolated
environment, technology enthusiasts have constructed a disconnected
but vibrant IP network that has grown organically to reach tens of
thousands of households across Havana. We present the first detailed
characterization of this deployment, which is known as the SNET, or
Street Network. Working in collaboration with SNET operators, we
describe the network’s infrastructure and map its topology, and we
measure bandwidth, available services, usage patterns, and user
demographics. Qualitatively, we attempt to answer why the SNET
exists and what benefits it has afforded its users. We go on to
discuss technical challenges the network faces, including scalability,
security, and organizational issues. To our knowledge, the SNET is
the largest isolated community-driven network in existence, and its
structure, successes, and obstacles show fascinating contrasts
and similarities to those of the Internet at large.

Elections seem simple—aren’t they just
counting? But they have a unique, challenging combination of
security and privacy requirements. The stakes are high; the
context is adversarial; the electorate needs to be convinced
that the results are correct; and the secrecy of the ballot must
be ensured. And they have practical constraints: time is of the
essence, and voting systems need to be affordable and
maintainable, and usable by voters, election officials, and
pollworkers. It is thus not surprising that voting is a rich
research area spanning theory, applied cryptography, practical
systems analysis, usable security, and statistics. Election
integrity involves two key concepts: convincing evidence that
outcomes are correct and privacy, which amounts
to convincing assurance that there is no evidence about
how any given person voted. These are obviously in tension. We
examine how current systems walk this tightrope.

The Mirai botnet, composed primarily of embedded
and IoT devices, took the Internet by storm in late 2016
when it overwhelmed several high-profile targets with
massive distributed denial-of-service (DDoS) attacks. In
this paper, we provide a seven-month retrospective analysis
of Mirai’s growth to a peak of 600k infections and
a history of its DDoS victims. By combining a variety
of measurement perspectives, we analyze how the botnet
emerged, what classes of devices were affected, and
how Mirai variants evolved and competed for vulnerable
hosts. Our measurements serve as a lens into the fragile
ecosystem of IoT devices. We argue that Mirai may represent
a sea change in the evolutionary development of
botnets—the simplicity with which devices were infected
and the botnet’s precipitous growth demonstrate that novice
malicious techniques can compromise enough low-end
devices to threaten even some of the best-defended targets.
To address this risk, we recommend technical and nontechnical
interventions, as well as propose future research
directions.

Proc. 7th USENIX Workshop on Free and Open Communications on the Internet (FOCI ’17), August 2017

We report initial results from the world’s first ISP-scale
field trial of a refraction networking system. Refraction
networking is a next-generation censorship circumvention
approach that locates proxy functionality in the middle
of the network, at participating ISPs or other network
operators. We built a high-performance implementation
of the TapDance refraction networking scheme and deployed
it on four ISP uplinks with an aggregate bandwidth
of 100 Gbps. Over one week of operation, our deployment
served more than 50,000 real users. The experience
demonstrates that TapDance can be practically realized
at ISP scale with good performance and at a reasonable
cost, potentially paving the way for long-term, large-scale
deployments of TapDance or other refraction networking
schemes in the future.

Over the past 20 years, websites have grown increasingly complex
and interconnected. In 2016, only a negligible number of sites
are dependency free, and over 90% of sites rely on external
content. In this paper, we investigate the current state of web
dependencies and explore two security challenges associated with
the increasing reliance on external services: (1) the expanded
attack surface associated with serving unknown, implicitly
trusted third-party content, and (2) how the increased set of
external dependencies impacts HTTPS adoption. We hope that by
shedding light on these issues, we can encourage developers to
consider the security risks associated with serving third-party
content and prompt service providers to more widely deploy
HTTPS.

As HTTPS deployment grows, middlebox and antivirus products
are increasingly intercepting TLS connections to retain
visibility into network traffic. In this work, we present a
comprehensive study on the prevalence and impact of HTTPS
interception. First, we show that web servers can detect
interception by identifying a mismatch between the HTTP
User-Agent header and TLS client behavior. We characterize the
TLS handshakes of major browsers and popular interception
products, which we use to build a set of heuristics to detect
interception and identify the responsible product. We deploy
these heuristics at three large network providers: (1) Mozilla
Firefox update servers, (2) a set of popular e-commerce sites,
and (3) the Cloudflare content distribution network. We find
more than an order of magnitude more interception than
previously estimated and with dramatic impact on connection
security. To understand why security suffers, we investigate
popular middleboxes and client-side security software, finding
that nearly all reduce connection security and many introduce
severe vulnerabilities. Drawing on our measurements, we conclude
with a discussion on recent proposals to safely monitor HTTPS
and recommendations for the security community.

Several recent standards, including NIST SP 800-56A and RFC
5114, advocate the use of “DSA” parameters for
Diffie-Hellman key exchange. While it is possible to use such
parameters securely, additional validation checks are necessary
to prevent well known and potentially devastating attacks. In
this paper, we observe that many Diffie-Hellman implementations
do not properly validate key exchange inputs. Combined with
other protocol properties and implementation choices, this can
radically decrease security. We measure the prevalence of these
parameter choices in the wild for HTTPS, POP3S, SMTP with
STARTTLS, SSH, IKEv1, and IKEv2, finding millions of hosts using
DSA and other non-“safe” primes for Diffie-Hellman
key exchange, many of them in combination with potentially
vulnerable behaviors. We examine over 20 open-source
cryptographic libraries and applications and observe that until
January 2016, not a single one validated subgroup orders by
default. We found feasible full or partial key recovery
vulnerabilities in OpenSSL, the Exim mail server, the Unbound
DNS client, and Amazon’s load balancer, as well as
susceptibility to weaker attacks in many other applications.

Industrial control systems have become ubiquitous, enabling the remote,
electronic control of physical equipment and sensors. Originally designed to
operate on closed networks, the protocols used by these devices have no built-in
security. However, despite this, an alarming number of systems are connected
to the public Internet and an attacker who finds a device often can cause
catastrophic damage to physical infrastructure. We consider two aspects of
ICS security in this work: (1) what devices have been inadvertently exposed
on the public Internet, and (2) who is searching for vulnerable systems.
First, we implement five common SCADA protocols in ZMap and conduct a survey
of the public IPv4 address space finding more than 60K publicly accessible
systems. Second, we use a large network telescope and high-interaction
honeypots to find and profile actors searching for devices. We hope that our
findings can both motivate and inform future work on securing industrial
control systems.

In this paper we explore the notion of a secure kiosk, a trusted
computing platform built using off-the-shelf components. We
demonstrate how kiosks serve as convenient primitives when
designing secure computing protocols, as they allow for a very
prescribed set of assumptions to be made about a system. We
begin by defining the necessary properties of a kiosk, and then
explain how each of these properties can (or cannot) be attained
using current off-the-shelf hardware and software components.
We construct a proof-of-concept implementation using TPM
hardware and Windows 10. We also provide ASKVote, the Attestable
and Secure Voting protocol to demonstrate the flexibility gained
from the use of kiosks in a larger secure system.

TLS has the potential to provide strong protection against network-based
attackers and mass surveillance, but many implementations take security
shortcuts in order to reduce the costs of cryptographic computations and network
round trips. We report the results of a nine-week study that measures the use
and security impact of these shortcuts for HTTPS sites among Alexa Top
Million domains. We find widespread deployment of DHE and ECDHE private value
reuse, TLS session resumption, and TLS session tickets. These practices greatly
reduce the protection afforded by forward secrecy: connections to 38% of Top
Million HTTPS sites are vulnerable to decryption if the server is compromised up to 24
hours later, and 10% up to 30 days later, regardless of the selected cipher suite.
We also investigate the practice of TLS secrets and session state being shared
across domains, finding that in some cases, the theft of a single secret value
can compromise connections to tens of thousands of sites. These results suggest
that site operators need to better understand the tradeoffs between optimizing
TLS performance and providing strong security, particularly when faced with
nation-state attackers with a history of aggressive, large-scale surveillance.

The HTTPS certificate ecosystem has been of great interest to the
measurement and security communities. Without any ground truth,
researchers have attempted to study this PKI from a variety of
fragmented perspectives, including passively monitored networks, scans
of the popular domains or the IPv4 address space, search engines such
as Censys, and Certificate Transparency (CT) logs. In this work, we
comparatively analyze all these perspectives. We find that aggregated
CT logs and Censys snapshots have many properties that complement each
other, and that together they encompass over 99% of all certificates
found by any of these techniques. However, they still miss 1.5% of
certificates observed in a crawl of all domains in .com,
.net, and .org. We go on to illustrate how this
combined perspective affects results from previous studies. In light
of these findings, we have worked with the operators of Censys to
incorporate CT log data into its results going forward, and we
recommend that future HTTPS measurement adopt this new vantage.

The World Wide Web has become the most common platform for building
applications and delivering content. Yet despite years of research,
the web continues to face severe security challenges related to data
integrity and confidentiality. Rather than continuing the
exploit-and-patch cycle, we propose addressing these challenges at an
architectural level, by supplementing the web’s existing
connection-based and server-based security models with a new approach: content-based
security. With this approach, content is directly signed and encrypted
at rest, enabling it to be delivered via any path and then validated
by the browser. We explore how this new architectural approach can
be applied to the web and analyze its security benefits. We then
discuss a broad research agenda to realize this vision and the
challenges that must be overcome.

We present DROWN, a novel cross-protocol attack on
TLS that uses a server supporting SSLv2 as an oracle to decrypt modern
TLS connections.

We introduce two versions of the attack. The more
general form exploits multiple unnoticed protocol flaws in SSLv2 to
develop a new and stronger variant of the Bleichenbacher RSA
padding-oracle attack. To decrypt a 2048-bit RSA TLS ciphertext, an
attacker must observe 1,000 TLS handshakes, initiate 40,000 SSLv2
connections, and perform 2^50 offline work. The victim client
never initiates SSLv2 connections. We implemented the attack and can
decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a
cost of $440 on Amazon EC2. Using Internet-wide scans, we find that
33% of all HTTPS servers and 22% of those with browser-trusted
certificates are vulnerable to this protocol-level attack due to
widespread key and certificate reuse.

For an even cheaper attack, we apply our new
techniques together with a newly discovered vulnerability in OpenSSL
that was present in releases from 1998 to early 2015. Given an
unpatched SSLv2 server to use as an oracle, we can decrypt a TLS
ciphertext in one minute on a single CPU—fast enough to enable
man-in-the-middle attacks against modern browsers. We find that 26% of
HTTPS servers are vulnerable to this attack.

We further observe that the QUIC protocol is
vulnerable to a variant of our attack that allows an attacker to
impersonate a server indefinitely after performing as few as
2^17 SSLv2 connections and 2^58 offline work.

We conclude that SSLv2 is not only weak, but
actively harmful to the TLS ecosystem.

Once pervasive, the File Transfer Protocol (FTP) has been largely
supplanted by HTTP, SCP, and BitTorrent for transferring data between
hosts. Yet, in a comprehensive analysis of the FTP ecosystem as of
2015, we find that there are still more than 13 million FTP servers in
the IPv4 address space, 1.1 million of which allow “anonymous”
(public) access. These anonymous FTP servers leak sensitive
information, such as tax documents and cryptographic secrets. More
than 20,000 FTP servers allow public write access, which has
facilitated malicious actors’ use of free storage as well as malware
deployment and click-fraud attacks. We further investigate real-world
attacks by deploying eight FTP honeypots, shedding light on how
attackers are abusing and exploiting vulnerable servers. We conclude
with lessons and recommendations for securing FTP.

App-based deception attacks are increasingly a problem on
mobile devices and they are used to steal passwords, credit card numbers,
text messages, etc. Current versions of Android are susceptible to
these attacks. Recently, Bianchi et al. proposed a novel solution (“What
the App is That”) that included a host-based system to identify apps to
users via a security indicator and help assure them that their input goes
to the identified apps. Unfortunately, we found that the solution has
a significant side channel vulnerability as well as susceptibility to clickjacking
that allow non-privileged malware to completely compromise the
defenses, and successfully steal passwords or other keyboard input. We
discuss the vulnerabilities found, propose possible defenses, and then
evaluate the defenses against different types of UI deception attacks.

We investigate the security of Diffie-Hellman key exchange as used
in popular Internet protocols and find it to be less secure than
widely believed. First, we present Logjam, a novel flaw in TLS
that lets a man-in-the-middle downgrade connections to
“export-grade” Diffie-Hellman. To carry out this
attack, we implement the number field sieve discrete log
algorithm. After a week-long precomputation for a specified
512-bit group, we can compute arbitrary discrete logs in that
group in about a minute. We find that 82% of vulnerable servers
use a single 512-bit group, allowing us to compromise connections
to 7% of Alexa Top Million HTTPS sites. In response, major
browsers are being changed to reject short groups.

We go on to consider Diffie-Hellman with 768- and 1024-bit
groups. We estimate that even in the 1024-bit case, the
computations are plausible given nation-state resources. A small
number of fixed or standardized groups are used by millions of
servers; performing precomputation for a single 1024-bit group
would allow passive eavesdropping on 18% of popular HTTPS sites,
and a second group would allow decryption of traffic to 66% of
IPsec VPNs and 26% of SSH servers. A close reading of published
NSA leaks shows that the agency’s attacks on VPNs are
consistent with having achieved such a break. We conclude that
moving to stronger key exchange methods should be a priority for
the Internet community.

Fast Internet-wide scanning has opened new avenues for security
research, ranging from uncovering widespread vulnerabilities in
random number generators to tracking the evolving impact of
Heartbleed. However, this technique still requires significant
effort: even simple questions, such as, “What models of
embedded devices prefer CBC ciphers?”, require developing an
application scanner, manually identifying and tagging devices,
negotiating with network administrators, and responding to abuse
complaints. In this paper, we introduce Censys, a public search
engine and data processing facility backed by data collected from
ongoing Internet-wide scans. Designed to help researchers answer
security-related questions, Censys supports full-text searches on
protocol banners and querying a wide range of derived fields
(e.g., 443.https.cipher). It can identify
specific vulnerable devices and networks and generate statistical
reports on broad usage patterns and trends. Censys returns these
results in sub-second time, dramatically reducing the effort of
understanding the hosts that comprise the Internet. We present the
search engine architecture and experimentally evaluate its
performance. We also explore Censys’s applications and show
how questions asked in recent studies become simple to answer.

The SMTP protocol is responsible for carrying some of users’
most intimate communication, but like other Internet protocols,
authentication and confidentiality were added only as an
afterthought. In this work, we present the first report on global
adoption rates of SMTP security extensions, including StartTLS,
SPF, DKIM, and DMARC. We present data from two perspectives: SMTP
server configurations for the Alexa Top Million domains, and over
a year of SMTP connections to and from Gmail. We find that the top
mail providers (e.g., Gmail, Yahoo, Outlook) all proactively
encrypt and authenticate messages. However, these best practices
have yet to reach widespread adoption in a long tail of over
700,000 SMTP servers, of which only 35% successfully configure
encryption and 1.1% specify a DMARC authentication policy. This
security patchwork—paired with SMTP policies that favor
failing open to allow gradual deployment—exposes users to
attackers who downgrade TLS connections in favor of cleartext and
who falsify MX records to reroute messages. We present evidence of
such attacks in the wild, highlighting seven countries where more
than 20% of inbound Gmail messages arrive in cleartext due to
network attackers.

In the world’s largest-ever deployment of online voting, the
iVote Internet voting system was trusted for the return of 280,000
ballots in the 2015 state election in New South Wales, Australia.
During the election, we performed an independent security analysis
of parts of the live iVote system and uncovered severe
vulnerabilities that could be leveraged to manipulate votes,
violate ballot privacy, and subvert the verification mechanism.
These vulnerabilities do not seem to have been detected by the
election authorities before we disclosed them, despite a
pre-election security review and despite the system having run in
a live state election for five days. One vulnerability, the
result of including analytics software from an insecure external
server, exposed some votes to complete compromise of privacy and
integrity. At least one parliamentary seat was decided by a
margin much smaller than the number of votes taken while the
system was vulnerable. We also found protocol flaws, including
vote verification that was itself susceptible to manipulation.
This incident underscores the difficulty of conducting secure
elections online and carries lessons for voters, election
officials, and the e-voting research community.

Embedded devices with web interfaces are prevalent, but, due to
memory and processing constraints, implementations typically make
use of Common Gateway Interface (CGI) binaries written in low-level,
memory-unsafe languages. This creates the possibility of memory
corruption attacks as well as traditional web attacks. We present
Umbra, an application-layer firewall specifically designed for
protecting web interfaces in embedded devices. By acting as a
“friendly man-in-the-middle,” Umbra can protect against
attacks such as cross-site request forgery (CSRF), information
leaks, and authentication bypass vulnerabilities. We evaluate
Umbra’s security by analyzing recent vulnerabilities listed in the
CVE database from several embedded device vendors and find that it
would have prevented half of these vulnerabilities. We
also show that Umbra comfortably runs within the constraints of an
embedded system while incurring minimal performance overhead.

Several attacks against physical pin-tumbler locks require access
to one or more key blanks to perform. These attacks include
bumping, impressioning, rights amplification, and
teleduplication. To mitigate these attacks, many lock systems rely
on restricted keyways and use blanks that are not sold to the
general public, making it harder for attackers to obtain
them. Often the key blank designs themselves are patented, further
discouraging distribution or manufacture by even skilled
machinists. In this paper, we investigate the impact that
emerging rapid-prototyping—or 3D-printing—tools have
on the security of these restricted keyway systems. We find that
commodity 3D printers are able to produce key blanks and pre-cut
keys with enough resolution to work in several commonly used
pin-tumbler locks and that their material is strong enough to
withstand the requirements to perform the aforementioned
attacks. In addition, in order to demonstrate the low skill
requirements necessary to perform these attacks, we develop a tool
that automatically generates a 3D-printable CAD model of a key
blank using only a single picture of a lock’s keyway. This
tool allows us to rapidly manufacture key blanks for restricted
keyways that were previously difficult to make or buy. Finally, we
discuss possible mitigations for these attacks that lock
manufacturers, installers, and users can perform to protect their
assets.

The Heartbleed vulnerability took the Internet by surprise
in April 2014. The vulnerability, one of the most consequential since
the advent of the commercial Internet, allowed attackers to
remotely read protected memory from an estimated 24–55% of popular
HTTPS sites. In this work, we perform a comprehensive,
measurement-based analysis of the vulnerability’s impact, including
(1) tracking the vulnerable population, (2) monitoring
patching behavior over time, (3) assessing the impact on the HTTPS
certificate ecosystem, and (4) exposing real attacks that attempted
to exploit the bug. Furthermore, we conduct a large-scale
vulnerability notification experiment involving 150,000 hosts and
observe a nearly 50% increase in patching by notified hosts.
Drawing upon these analyses, we discuss what went well and what went
poorly, in an effort to understand how the technical community can
respond more effectively to such events in the future.

Estonia was the first country in the world to use Internet voting
nationally, and today more than 30% of its ballots are cast online.
In this paper, we analyze the security of the Estonian I-voting system
based on a combination of in-person election observation, code review,
and adversarial testing. Adopting a threat model that considers the
advanced threats faced by a national election system—including
dishonest insiders and state-sponsored attacks—we find that the
I-voting system has serious architectural limitations and procedural
gaps that potentially jeopardize the integrity of elections. In
experimental attacks on a reproduction of the system, we demonstrate
how such attackers could target the election servers or voters’
clients to alter election results or undermine the legitimacy of the
system. Our findings illustrate the practical obstacles to Internet
voting in the modern world, and they carry lessons for Estonia, for
other countries considering adopting such systems, and for the
security research community.

In a multi-level election, voters are divided into groups, an election
is held within each group, and some deterministic procedure is used to
combine the group results to determine the overall election
result. Examples of multi-level elections include U.S. presidential
elections and some parliamentary elections (such as those with
regional groupings of voters). The results of such an election can
hinge on a few votes in one group, while being insensitive to large
shifts within other groups. These disparities create opportunities to
focus election integrity efforts in the places where they have the
highest leverage. We consider how to improve the efficiency of
post-election audits, such as those that compare paper ballots to
corresponding electronic records, in multi-level elections. We
evaluate our proposed solutions using data from past elections.

Advanced imaging technologies are a new class of people screening
systems used at airports and other sensitive environments to
detect metallic as well as nonmetallic contraband. We present the
first independent security evaluation of such a system, the
Rapiscan Secure 1000 full-body scanner, which was widely deployed
at airport checkpoints in the U.S. from 2009 until 2013. We find
that the system provides weak protection against adaptive
adversaries: It is possible to conceal knives, guns, and
explosives from detection by exploiting properties of the
device’s backscatter X-ray technology. We also investigate
cyberphysical threats and propose novel attacks that use malicious
software and hardware to compromise the effectiveness, safety,
and privacy of the device. Overall, our findings paint a mixed
picture of the Secure 1000 that carries lessons for the design,
evaluation, and operation of advanced imaging technologies, for
the ongoing public debate concerning their use, and for
cyberphysical security more broadly.

In response to increasingly sophisticated state-sponsored Internet
censorship, recent work has proposed a new approach to censorship
resistance: end-to-middle proxying. This concept, developed in systems
such as Telex, Decoy Routing, and Cirripede, moves anticensorship
technology into the core of the network, at large ISPs outside the
censoring country. In this paper, we focus on two technical obstacles
to the deployment of certain end-to-middle schemes: the need to
selectively block flows and the need to observe both directions of a
connection. We propose a new construction, TapDance, that removes
these requirements. TapDance employs a novel TCP-level technique that
allows the anticensorship station at an ISP to function as a passive
network tap, without an inline blocking component. We also apply a
novel steganographic encoding to embed control messages in TLS
ciphertext, allowing us to operate on HTTPS connections even under
asymmetric routing. We implement and evaluate a TapDance prototype
that demonstrates how the system could function with minimal impact on
an ISP’s network operations.

While it is widely known that port scanning is widespread, neither the
scanning landscape nor the defensive reactions of network operators
have been measured at Internet scale. In this work, we analyze data
from a large network telescope to study scanning activity from the
past year, uncovering large horizontal scan operations and identifying
broad patterns in scanning behavior. We present an analysis of who is
scanning, what services are being targeted, and the impact of new
scanners on the overall landscape. We also analyze the scanning
behavior triggered by recent vulnerabilities in Linksys routers,
OpenSSL, and NTP. We empirically analyze the defensive behaviors that
organizations employ against scanning, shedding light on who detects
scanning behavior, which networks blacklist scanning, and how scan
recipients respond to scans conducted by researchers. We conclude with
recommendations for institutions performing scans and with
implications of recent changes in scanning behavior for researchers
and network operators.

The safety critical nature of traffic infrastructure requires that it
be secure against computer-based attacks, but this is not always the
case. We investigate a networked traffic signal system currently
deployed in the United States and discover a number of security flaws
that exist due to systemic failures by the designers. We leverage
these flaws to create attacks which gain control of the system, and we
successfully demonstrate them on the deployment in coordination with
authorities. Our attacks show that an adversary can control traffic
infrastructure to cause disruption, degrade safety, or gain an unfair
advantage. We make recommendations on how to improve existing systems
and discuss the lessons learned for embedded systems security in
general.

We introduce optimizations to the ZMap network scanner that achieve a 10-fold increase in maximum scan rate. By parallelizing address generation, introducing an improved blacklisting algorithm, and using zero-copy NIC access, we drive ZMap to nearly the maximum throughput of 10 gigabit Ethernet, almost 15 million probes per second. With these changes, ZMap can comprehensively scan for a single TCP port across the entire public IPv4 address space in 4.5 minutes given adequate upstream bandwidth. We consider the implications of such rapid scanning for both defenders and attackers, and we briefly discuss a range of potential applications.

In this paper, we perform a review of elliptic curve cryptography (ECC), as it is used in practice today, in order to reveal unique mistakes and vulnerabilities that arise in implementations of ECC. We study four popular protocols that make use of this type of public-key cryptography: Bitcoin, secure shell (SSH), transport layer security (TLS), and the Austrian e-ID card. We are pleased to observe that about 1 in 10 systems support ECC across the TLS and SSH protocols. However, we find that despite the high stakes of money, access and resources protected by ECC, implementations suffer from vulnerabilities similar to those that plague previous cryptographic systems.

Many companies have recently started to offer wearable computing devices including glasses, bracelets, and watches. While this technology enables exciting new applications, it also poses new security and privacy concerns. In this work, we explore these implications and analyze the impact of one of the first networked wearable devices—smartwatches—on an academic environment. As a proof of concept, we develop an application for the Pebble smartwatch called ConTest that would allow dishonest students to inconspicuously collaborate on multiple-choice exams in real time, using a cloud-based service, a smartphone, and a client application on the watch. We discuss the broader implications of this technology, suggest hardware and software approaches that can be used to prevent such attacks, and pose questions for future research.

We report the results of a large-scale measurement study of the HTTPS certificate ecosystem—the public-key infrastructure that underlies nearly all secure web communications. Using data collected by performing 110 Internet-wide scans over 14 months, we gain detailed and temporally fine-grained visibility into this otherwise opaque area of security-critical infrastructure. We investigate the trust relationships among root authorities, intermediate authorities, and the leaf certificates used by web servers, ultimately identifying and classifying more than 1,800 entities that are able to issue certificates vouching for the identity of any website. We uncover practices that may put the security of the ecosystem at risk, and we identify frequent configuration problems that lead to user-facing errors and potential vulnerabilities. We conclude with lessons and recommendations to ensure the long-term health and security of the certificate ecosystem.

Internet-wide network scanning has numerous security applications, including exposing new vulnerabilities and tracking the adoption of defensive mechanisms, but probing the entire public address space with existing tools is both difficult and slow. We introduce ZMap, a modular, open-source network scanner specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine, approaching the theoretical maximum speed of gigabit Ethernet. We present the scanner architecture, experimentally characterize its performance and accuracy, and explore the security implications of high speed Internet-scale network surveys, both offensive and defensive. We also discuss best practices for good Internet citizenship when performing Internet-wide surveys, informed by our own experiences conducting a long-term research survey over the past year.

Out-of-band, lights-out management has become a standard feature on many servers, but while this technology can be a boon for system administrators, it also presents a new and interesting vector for attack. This paper examines the security implications of the Intelligent Platform Management Interface (IPMI), which is implemented on server motherboards using an embedded Baseboard Management Controller (BMC). We consider the threats posed by an incorrectly implemented IPMI and present evidence that IPMI vulnerabilities may be widespread. We analyze a major OEM’s IPMI implementation and discover that it is riddled with textbook vulnerabilities, some of which would allow a remote attacker to gain root access to the BMC and potentially take control of the host system. Using data from Internet-wide scans, we find that there are at least 100,000 IPMI-enabled servers (across three large vendors) running on publicly accessible IP addresses, contrary to recommended best practice. Finally, we suggest defensive strategies for servers currently deployed and propose avenues for future work.

Proc. 3rd USENIX Workshop on Free and Open Communications on the Internet (FOCI ’13), Washington, DC, August 2013

The Iranian government operates one of the largest and most sophisticated Internet censorship regimes in the world, but the mechanisms it employs have received little research attention, primarily due to lack of access to network connections within the country and personal risks to Iranian citizens who take part. In this paper, we examine the status of Internet censorship in Iran based on network measurements conducted from a major Iranian ISP during the lead-up to the June 2013 presidential election. We measure the scope of the censorship by probing Alexa’s top 500 websites in 18 different categories. We investigate the technical mechanisms used for HTTP Host–based blocking, keyword filtering, DNS hijacking, and protocol-based throttling. Finally, we map the network topology of the censorship infrastructure and find evidence that it relies heavily on centralized equipment, a property that might be fruitfully exploited by next-generation approaches to censorship circumvention.

The existing HTTPS public-key infrastructure (PKI) uses a coarse-grained trust model: either a certificate authority (CA) is trusted by browsers to vouch for the identity of any domain or it is not trusted at all. More than a thousand root and intermediate CAs can currently sign certificates for any domain and be trusted by popular browsers. This violates the principle of least privilege and creates an excessively large attack surface, as highlighted by recent CA compromises. In this paper, we present CAge, a mechanism that browser makers can apply to drastically reduce the excessive trust placed in CAs without fundamentally altering the CA ecosystem or breaking existing practice. CAge works by imposing restrictions on the set of top-level domains (TLDs) for which each CA is trusted to sign. Our key observation, based on an Internet-wide survey of TLS certificates, is that CAs commonly sign for only a handful of TLDs; in fact, 90% of CAs have signed certificates for domains in fewer than ten TLDs, and only 35% have ever signed a certificate for a domain in .com. We show that it is possible to algorithmically infer reasonable restrictions on CAs’ trusted scopes based on this behavior, and we present evidence that browser-enforced inferred scopes would be a durable and effective way to reduce the attack surface of the HTTPS PKI. We find that simple inference rules can reduce the attack surface by nearly a factor of ten without hindering 99% of CA signing activity over a six-month period.

RSA and DSA can fail catastrophically when used with malfunctioning random number generators, but the extent to which these problems arise in practice has never been comprehensively studied at Internet scale. We perform the largest ever network survey of TLS and SSH servers and present evidence that vulnerable keys are surprisingly widespread. We find that 0.75% of TLS certificates share keys due to insufficient entropy during key generation, and we suspect that another 1.70% come from the same faulty implementations and may be susceptible to compromise. Even more alarmingly, we are able to obtain RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts, because their public keys shared nontrivial common factors due to entropy problems, and DSA private keys for 1.03% of SSH hosts, because of insufficient signature randomness. We cluster and investigate the vulnerable hosts, finding that the vast majority appear to be headless or embedded devices. In experiments with three software components commonly used by these devices, we are able to reproduce the vulnerabilities and identify specific software behaviors that induce them, including a boot-time entropy hole in the Linux random number generator. Finally, we suggest defenses and draw lessons for developers, users, and the security community.

In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website. Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security. This paper describes our experience participating in this trial. Within 48 hours of the system going live, we had gained near-complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days—and might have remained unaware for far longer had we not deliberately left a prominent clue. This case study—the first (to our knowledge) to analyze the security of a government Internet voting system from the perspective of an attacker in a realistic pre-election deployment—attempts to illuminate the practical challenges of securing online voting as practiced today by a growing number of jurisdictions.

In this paper, we present Telex, a new approach to resisting state-level Internet censorship. Rather than attempting to win the cat-and-mouse game of finding open proxies, we leverage censors’ unwillingness to completely block day-to-day Internet access. In effect, Telex converts innocuous, unblocked websites into proxies, without their explicit collaboration. We envision that friendly ISPs would deploy Telex stations on paths between censors’ networks and popular, uncensored Internet destinations. Telex stations would monitor seemingly innocuous flows for a special “tag” and transparently divert them to a forbidden website or service instead. We propose a new cryptographic scheme based on elliptic curves for tagging TLS handshakes such that the tag is visible to a Telex station but not to a censor. In addition, we use our tagging scheme to build a protocol that allows clients to connect to Telex stations while resisting both passive and active attacks. We also present a proof-of-concept implementation that demonstrates the feasibility of our system.

China filters Internet traffic in and out of the country. In order to circumvent the firewall, it is helpful to know where the filtering occurs. In this work, we explore the AS-level topology of China’s network, and probe the firewall to find the locations of filtering devices. We find that even though most filtering occurs in border ASes, choke points also exist in many provincial networks. The result suggests that two major ISPs in China have different approaches for placing filtering devices.

Many IT departments use remote administration products to
configure, monitor, and maintain the systems they manage. These tools
can be beneficial in the right hands, but they can also be devastating if
attackers exploit them to seize control of machines. As a case study, we
analyze the security of a remote administration product called Absolute
Manage. We find that the system’s communication protocol suffers from
serious design flaws and fails to provide adequate integrity, confidentiality,
or authentication. Attackers can exploit these vulnerabilities to issue
unauthorized commands on client systems and execute arbitrary code
with administrator privileges. These blatant vulnerabilities suggest that
remote administration tools require increased scrutiny from the security
community. We recommend that developers adopt defensive designs that
limit the damage attackers can cause if they gain control.

Elections in India are conducted almost exclusively using electronic
voting machines developed over the past two decades by a pair of
government-owned companies. These devices, known in India as EVMs,
have been praised for their simple design, ease of use, and
reliability, but recently they have also been criticized following
widespread reports of election irregularities. Despite this
criticism, many details of the machines’ design have never been
publicly disclosed, and they have not been subjected to a rigorous,
independent security evaluation. In this paper, we present a security
analysis of a real Indian EVM obtained from an anonymous source. We
describe the machine’s design and operation in detail, and we evaluate
its security in light of relevant election procedures. We conclude
that in spite of the machines’ simplicity and minimal software trusted
computing base, they are vulnerable to serious attacks that can alter
election results and violate the secrecy of the ballot. We
demonstrate two attacks, implemented using custom hardware, which
could be carried out by dishonest election insiders or other criminals
with only brief physical access to the machines. This case study
carries important lessons for Indian elections and for electronic
voting security more generally.

This paper presents two kinds
of attacks based on crawling the DHTs used for distributed BitTorrent
tracking. First, we show how pirates can use crawling to rebuild
BitTorrent search engines just a few hours after they are shut
down (crawling for fun). Second, we show how content owners can
use related techniques to monitor pirates’ behavior in
preparation for legal attacks and negate any perceived anonymity of
the decentralized BitTorrent architecture (crawling for profit).

We validate these attacks and measure their
performance with a crawler we developed for the Vuze DHT. We find
that we can establish a search engine with over one million torrents
in under two hours using a single desktop PC. We also track 7.9 million
IP addresses downloading 1.5 million torrents over 16 days. These
results imply that shifting from centralized BitTorrent tracking to
DHT-based tracking will have mixed results for the file sharing arms
race. While it will likely make illicit torrents harder to quash, it
will not help users hide their activities.

This paper introduces a
captcha based on upright orientation of line drawings rendered from 3D
models. The models are selected from a large database, and images are
rendered from random viewpoints, affording many different drawings
from a single 3D model. The captcha presents the user with a set of
images, and the user must choose an upright orientation for each
image. This task generally requires understanding of the semantic
content of the image, which is believed to be difficult for automatic
algorithms. We describe a process called covert filtering whereby the
image database can be continually refreshed with drawings that are
known to have a high success rate for humans, by inserting randomly
into the captcha new images to be evaluated. Our analysis shows that
covert filtering can ensure that captchas are likely to be solvable by
humans while deterring attackers who wish to learn a portion of the
database. We performed several user studies that evaluate how
effectively people can solve the captcha. Comparing these results to
an attack based on machine learning, we find that humans possess a
substantial performance advantage over computers.

Researchers at the University
of Washington recently proposed Vanish, a system for creating messages
that automatically “self-destruct” after a period of
time. Vanish works by encrypting each message with a random key and
storing shares of the key in a large, public distributed hash table
(DHT). Normally, DHTs expunge data older than a certain age. After
they expire, the key is permanently lost, and the encrypted data is
permanently unreadable. Vanish is an interesting approach to an
important privacy problem, but, in its current form, it is
insecure. In this paper, we defeat the deployed Vanish implementation,
explain how the original paper’s security analysis is flawed, and draw
lessons for future system designs.

We present two Sybil attacks against the current Vanish
implementation, which stores its encryption keys in the million-node
Vuze BitTorrent DHT. These attacks work by continuously crawling the
DHT and saving each stored value before it ages out. They can
efficiently recover keys for more than 99% of Vanish messages. We show
that the dominant cost of these attacks is network data transfer, not
memory usage as the Vanish authors expected, and that the total cost
is two orders of magnitude less than they estimated. While we consider
potential defenses, we conclude that public DHTs like Vuze probably
cannot provide strong security for Vanish.

A secure voting machine
design must withstand new attacks devised throughout its multidecade
service lifetime. In this paper, we give a case study of the long-term
security of a voting machine, the Sequoia AVC Advantage, whose design
dates back to the early 80s. The AVC Advantage was designed with
promising security features: its software is stored entirely in
read-only memory and the hardware refuses to execute instructions
fetched from RAM. Nevertheless, we demonstrate that an attacker can
induce the AVC Advantage to misbehave in arbitrary
ways—including changing the outcome of an election—by
means of a memory cartridge containing a specially-formatted
payload. Our attack makes essential use of a recently-invented
exploitation technique called return-oriented programming, adapted
here to the Z80 processor. In return-oriented programming, short
snippets of benign code already present in the system are combined to
yield malicious behavior. Our results demonstrate the relevance of
recent ideas from systems security to voting machine research, and
vice versa. We had no access either to source code or documentation
beyond that available on Sequoia’s web site. We have created a
complete vote-stealing demonstration exploit and verified that it
works correctly on the actual hardware.

This paper presents a novel technique for authenticating physical
documents based on random, naturally occurring imperfections in
paper texture. We introduce a new method for measuring the
three-dimensional surface of a page using only a commodity scanner
and without modifying the document in any way. From this physical
feature, we generate a concise fingerprint that uniquely
identifies the document. Our technique is secure against
counterfeiting and robust to harsh handling; it can be used even
before any content is printed on a page. It has a wide range of
applications, including detecting forged currency and tickets,
authenticating passports, and halting counterfeit goods. Document
identification could also be applied maliciously to de-anonymize
printed surveys and to compromise the secrecy of paper ballots.

Contrary to popular assumption, DRAMs used in most modern
computers retain their contents for seconds to minutes after power
is lost, even at operating temperatures and even if removed from a
motherboard. Although DRAMs become less reliable when they are not
refreshed, they are not immediately erased, and their contents
persist sufficiently for malicious (or forensic) acquisition of
usable full-system memory images. We show that this phenomenon
limits the ability of an operating system to protect cryptographic
key material from an attacker with physical access. We use cold
reboots to mount attacks on popular disk encryption systems
— BitLocker, FileVault, dm-crypt, and TrueCrypt —
using no special devices or materials. We experimentally
characterize the extent and predictability of memory remanence and
report that remanence times can be increased dramatically with
simple techniques. We offer new algorithms for finding
cryptographic keys in memory images and for correcting errors
caused by bit decay. Though we discuss several strategies for
partially mitigating these risks, we know of no simple remedy that
would eliminate them.

Generation of random numbers is a critical component of existing
post-election auditing techniques. Recent work has largely
discouraged the use of all pseudorandom number generators,
including cryptographically secure pseudorandom number generators
(CSPRNGs), for this purpose, instead recommending the sole use of
observable physical techniques. In particular, simple dice
rolling has received a great deal of positive attention. The
typical justification for this recommendation is that those less
comfortable with mathematics prefer a simple, observable
technique. This paper takes a contrary view. Simple, observable
techniques like dice rolling are not necessarily robust against
sleight of hand and other forms of fraud, and attempts to harden
them against fraud can dramatically increase their complexity.
With simple dice rolling, we know of no techniques that provide
citizens with a reasonable means of verifying that fraud did not
occur during the roll process. CSPRNGs, used properly, can be
simple, robust, and verifiable, and they allow for the use of
auditing techniques that might otherwise be impractical. While we
understand initial skepticism towards this option, we argue that
appropriate use of CSPRNGs would strengthen audit security.

In light of the systemic vulnerabilities uncovered by recent
reviews of deployed e-voting systems, the surest way to secure the
voting process would be to scrap the existing systems and design
new ones. Unfortunately, engineering new systems will take years,
and many jurisdictions are unlikely to be able to afford new
equipment in the near future. In this paper we ask how
jurisdictions can make the best use of the equipment they already
own until they can replace it. Starting from current practice, we
propose defenses that involve new but realistic procedures, modest
changes to existing software, and no changes to existing hardware.
Our techniques achieve greatly improved protection against
outsider attacks: they provide containment of viral spread,
improve the integrity of vote tabulation, and offer some detection
of individual compromised devices. They do not provide security
against insiders with access to election management systems, which
appears to require significantly greater changes to the existing
systems.

Several important security protocols require parties to perform
computations based on random challenges. Traditionally, proving
that the challenges were randomly chosen has required interactive
communication among the parties or the existence of a trusted
server. We offer an alternative solution where challenges are
harvested from oblivious servers on the Internet. This paper
describes a framework for deriving “harvested
challenges” by mixing data from various pre-existing online
sources. While individual sources may become predictable or fall
under adversarial control, we provide a policy language that
allows application developers to specify combinations of sources
that meet their security needs. Participants can then convince
each other that their challenges were formed freshly and in
accordance with the policy. We present Combine, an open source
implementation of our framework, and show how it can be applied to
a variety of applications, including remote storage auditing and
non-interactive client puzzles.

Election audit procedures usually rely on precinct-based recounts,
in which workers manually review all paper ballots from selected
polling places, but these recounts can be expensive due to the
labor required. This paper proposes an alternative audit strategy
that allows machines to perform most of the work. Precincts are
recounted using recounting machines, and their output is manually
audited using efficient ballot sampling techniques. This strategy
can achieve equal or greater confidence than precinct-based
auditing at a significantly lower cost while protecting voter
privacy better than previous ballot-based auditing methods. We
show how to determine which ballots to audit against the
recounting machines’ records and compare this new approach
to precinct-based audits in the context of Virginia’s
November 2006 election. Far fewer ballots need to be audited by
hand using our approach. We also explore extensions to these
techniques, such as varying individual ballots’ audit
probabilities based on the votes they contain, that promise
further efficiency gains.

This paper presents a fully independent security study of a
Diebold AccuVote-TS voting machine, including its hardware and
software. We obtained the machine from a private party. Analysis
of the machine, in light of real election procedures, shows that
it is vulnerable to extremely serious attacks. For example, an
attacker who gets physical access to a machine or its removable
memory card for as little as one minute could install malicious
code; malicious code on a machine could steal votes undetectably,
modifying all records, logs, and counters to be consistent with
the fraudulent vote count it creates. An attacker could also
create malicious code that spreads automatically and silently from
machine to machine during normal election activities — a
voting-machine virus. We have constructed working demonstrations
of these attacks in our lab. Mitigating these threats will require
changes to the voting machine’s hardware and software and the
adoption of more rigorous election procedures.

In the fall of 2005, problems discovered in two Sony-BMG compact
disc copy protection systems, XCP and MediaMax, triggered a public
uproar that ultimately led to class-action litigation and the
recall of millions of discs. We present an in-depth analysis of
these technologies, including their design, implementation, and
deployment. The systems are surprisingly complex and suffer from
a diverse array of flaws that weaken their content protection and
expose users to serious security and privacy risks. Their
complexity, and their failure, make them an interesting case
study of digital rights management that carries valuable lessons
for content companies, DRM vendors, policymakers, end users, and
the security community.

Computer users are asked to generate, keep secret, and recall an
increasing number of passwords for uses including host accounts,
email servers, e-commerce sites, and online financial
services. Unfortunately, the password entropy that users can
comfortably memorize seems insufficient to store unique, secure
passwords for all these accounts, and it is likely to remain
constant as the number of passwords (and the adversary’s
computational power) increases into the future. In this paper, we
propose a technique that uses a strengthened cryptographic hash
function to compute secure passwords for arbitrarily many accounts
while requiring the user to memorize only a single short
password. This mechanism functions entirely on the client; no
server-side changes are needed. Unlike previous approaches, our
design is both highly resistant to brute force attacks and nearly
stateless, allowing users to retrieve their passwords from any
location so long as they can execute our program and remember a
short secret. This combination of security and convenience will,
we believe, entice users to adopt our scheme. We discuss the
construction of our algorithm in detail, compare its strengths and
weaknesses to those of related approaches, and present Password
Multiplier, an implementation in the form of an extension to
the Mozilla Firefox web browser.

The growing popularity of inexpensive, portable recording devices,
such as cellular phone cameras and compact digital audio
recorders, presents a significant new threat to privacy. We
propose a set of technologies that can be integrated into
recording devices to provide stronger, more accurately targeted
privacy protections than other legal and technical measures now
under consideration. Our design is based on an informed consent
principle, which it supports by the use of novel devices and
protocols that automate negotiations over consent and ensure
appropriate safeguards on recorded data. We define the protocols
needed for this purpose and establish their security. We also
describe a working prototype implementation that safeguards audio
recorded by laptop PCs in a wireless network.

We explore new techniques for the use of cryptographic puzzles as
a countermeasure to Denial-of-Service (DoS) attacks. We propose
simple new techniques that permit the outsourcing of
puzzles--their distribution via a robust external service that we
call a bastion. Many servers can rely on puzzles
distributed by a single bastion. We show how a bastion, somewhat
surprisingly, need not know which servers rely on its
services. Indeed, in one of our constructions, a bastion may
consist merely of a publicly accessible random data source, rather
than a special purpose server. Our outsourcing techniques help
eliminate puzzle distribution as a point of compromise. Our
design has three main advantages over prior approaches. First, it
is more resistant to DoS attacks aimed at the puzzle mechanism
itself, withstanding over 80% more attack traffic than previous
methods in our experiments. Second, our scheme is cheap enough to
apply at the IP level, though it also works at higher levels of
the protocol stack. Third, our method allows clients to solve
puzzles offline, reducing the need for users to wait while their
computers solve puzzles. We present a prototype implementation of
our approach, and we describe experiments that validate our
performance claims.
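To make the outsourcing idea concrete, here is an added Python example (written for this page, not the paper's prototype) of a hash-preimage puzzle whose challenge comes from a public per-epoch random value rather than from the server. The server's name is simply one of the hash inputs, so the source of the random value need not know which servers use it, and the client can solve ahead of time without a round trip. The beacon function, the difficulty, the message layout and the replay cache are assumptions for the illustration; in particular the beacon below is deterministic only so the example is reproducible.

```python
import hashlib

DIFFICULTY_BITS = 12   # about 4096 hashes per solution on average; constructed value


def beacon_value(epoch: int) -> bytes:
    """Stand-in for the bastion: one public random value per epoch.

    Constructed here as a deterministic SHA-256 so the example is reproducible;
    a real public random source would publish data nobody can predict before
    the epoch starts.
    """
    return hashlib.sha256(b"constructed-beacon:" + epoch.to_bytes(8, "big")).digest()


def _puzzle_hash(beacon: bytes, server_id: bytes, client_id: bytes, nonce: int) -> bytes:
    # Binding the server and client names into the hash means one beacon
    # serves every server, and a solution for one server is useless at another.
    return hashlib.sha256(b"|".join([beacon, server_id, client_id, nonce.to_bytes(8, "big")])).digest()


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(epoch: int, server_id: bytes, client_id: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: search for a nonce. Only the public beacon value is needed,
    so this can run before the client ever contacts the server."""
    beacon = beacon_value(epoch)
    nonce = 0
    while _leading_zero_bits(_puzzle_hash(beacon, server_id, client_id, nonce)) < bits:
        nonce += 1
    return nonce


class PuzzleVerifier:
    """Server side: one hash per submission plus epoch and replay checks."""

    def __init__(self, server_id: bytes, epoch: int, bits: int = DIFFICULTY_BITS):
        self.server_id = server_id
        self.epoch = epoch
        self.bits = bits
        self._seen = set()   # (client_id, nonce) pairs already accepted this epoch

    def advance_epoch(self, epoch: int) -> None:
        self.epoch = epoch
        self._seen.clear()

    def verify(self, client_id: bytes, epoch: int, nonce: int) -> bool:
        if epoch != self.epoch:                 # stale or future puzzle
            return False
        if (client_id, nonce) in self._seen:    # replayed solution
            return False
        digest = _puzzle_hash(beacon_value(epoch), self.server_id, client_id, nonce)
        if _leading_zero_bits(digest) < self.bits:
            return False
        self._seen.add((client_id, nonce))
        return True


if __name__ == "__main__":
    verifier = PuzzleVerifier(b"web-01", epoch=7)
    n = solve_puzzle(7, b"web-01", b"client-a")
    print("nonce", n, "accepted:", verifier.verify(b"client-a", 7, n))
```

The verifier's cost is constant regardless of how much puzzle traffic arrives, which is the property that makes the puzzle mechanism itself a poor flooding target; the epoch check bounds how long a precomputed solution stays valid, and the replay cache only has to live for one epoch.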

New acquisition and modeling tools make it easier to create 3D
models, and affordable and powerful graphics hardware makes it
easier to use them. As a result, the number of 3D models available
on the web is increasing rapidly. However, it is still not as easy
to find 3D models as it is to find, for example, text documents
and images. What is needed is a “3D model search
engine,” a specialized search engine that targets 3D
models. We created a prototype 3D model search engine to
investigate the design and implementation issues. Our search
engine can be partitioned into three main components: (1)
acquisition: 3D models have to be collected from the web, (2)
analysis: they have to be analyzed for later matching, and (3)
query processing and matching: an online system has to match user
queries to the collected 3D models. Our site currently indexes
over 36,000 models, of which about 31,000 are freely available. In
addition to a text search interface, it offers several 3D and 2D
shape-based query interfaces. Since it went online one year ago
(in November 2001), it has processed over 148,000 searches from
37,800 hosts in 103 different countries. Currently 20-25% of the
about 1,000 visitors per week are returning users. This paper
reports on our initial experiences designing, building, and
running the 3D model search engine.

As the number of 3D models available on the Web grows, there is an
increasing need for a search engine to help people find them.
Unfortunately, traditional text-based search techniques are not
always effective for 3D data. In this paper, we investigate new
shape-based search methods. The key challenges are to develop
query methods simple enough for novice users and matching
algorithms robust enough to work for arbitrary polygonal
models. We present a web-based search engine system that supports
queries based on 3D sketches, 2D sketches, 3D models, and/or text
keywords. For the shape-based queries, we have developed a new
matching algorithm that uses spherical harmonics to compute
discriminating similarity measures without requiring repair of
model degeneracies or alignment of orientations. It provides
46–245% better performance than related shape matching methods
during precision-recall experiments, and it is fast enough to
return query results from a repository of 20,000 models in under a
second. The net result is a growing interactive index of 3D models
available on the Web (i.e., a Google for 3D models).

Several major record labels are adopting a new family of
copy-prevention techniques intended to limit “casual”
copying by compact disc owners using their personal
computers. These employ deliberate data errors introduced into
discs during manufacturing to cause incompatibility with PCs
without affecting ordinary CD players. We examine three such
recordings: A Tribute to Jim Reeves by Charley Pride, A New Day
Has Come by Celine Dion, and More Music from The Fast and the
Furious by various artists. In tests with different CD-ROM drives,
operating systems, and playback software, we find these discs are
unreadable in several widely-used applications as of July 2002. We
analyze the specific technical differences between the modified
recordings and standard audio CDs, and we consider repairs to
hardware and software that would restore compatibility. We
conclude that these schemes are harmful to legitimate CD owners
and will not reduce illegal copying in the long term, so the music
industry should reconsider their deployment.

Stealthy pixel-perfect attacks on smartphone apps are a class
of phishing attacks that rely on visual deception to trick
users into entering sensitive information into trojan apps.
We introduce an operating system abstraction called Trusted
Visual I/O Paths (TIVOs) that enables a user to securely
verify the app she is interacting with, only assuming that
the operating system provides a trusted computing base. As
proof of concept, we built a TIVO for Android, one that is
activated any time a soft keyboard is used by an application
(e.g., for password entry) so that the user can reliably determine
the app that receives the user’s keyboard input. We
implemented TIVO by modifying Android’s user-interface
stack and evaluated the abstraction using a controlled user
study where users had to decide whether to trust the login
screen of four different applications that were randomly
subjected to two forms of pixel-perfect attacks. The TIVO
mechanism was found to significantly reduce the effectiveness
of pixel-perfect attacks, with acceptable impact on overall
usability and only modest performance overhead.

Of all of the revelations
about the NSA that have come to light in recent months, two stand out
as the most worrisome and surprising to cybersecurity experts. The
first is that the NSA has worked to weaken the international
cryptographic standards that define how computers secure
communications and data. The second is that the NSA has deliberately
introduced backdoors into security-critical software and hardware. If
the NSA has indeed engaged in such activities, it has risked the
computer security of the United States (and the world) as much as any
malicious attacks have to date.

Proc. 2nd Workshop on Ethics in Computer Security Research (WECSR ’11), March 2011

Research about weaknesses in deployed electronic voting
systems raises a variety of pressing ethical concerns. In addition to ethical
issues common to vulnerability research, such as the potential harms
and benefits of vulnerability disclosure, electronic voting researchers face
questions that flow from the unique and important role voting plays in
modern democratic societies. Should researchers worry that their own
work (not unlike the flaws they study) could sway an election outcome?
When elected officials authorize a security review, how should researchers
address the conflicted interests of these incumbent politicians, who may
have powerful incentives to downplay problems, and might in principle be
in a position to exploit knowledge about vulnerabilities when they stand
for re-election? How should researchers address the risk that identifying
specific flaws will lead to a false sense of security, after those particular
problems have been resolved? This paper makes an early effort to address
these and other questions with reference to experience from previous
e-voting security reviews. We hope our provisional analysis will help
practicing researchers anticipate and address ethical issues in future
studies.

Many common software vulnerabilities are avoidable if software makers
apply appropriate care, yet developers’ incentives often lead them to
underinvest in security. Profit-maximizing developers invest to the
extent that strengthening security increases sales or reduces their
liability, yet these incentives are undermined by the software
market’s structure. By understanding and reshaping such incentives, we
can greatly improve security at comparably low cost. The author argues
for requiring increased transparency about security problems and
development practices, which will help software buyers make
better-informed purchases, and for holding developers liable for the
costs of security failures caused by their products.

We have discovered
remotely-exploitable vulnerabilities in Green Dam, the censorship
software reportedly mandated by the Chinese government. Any web site a
Green Dam user visits can take control of the PC. According to press
reports, China will soon require all PCs sold in the country to
include Green Dam. This software monitors web sites visited and other
activity on the computer and blocks adult content as well as
politically sensitive material. We examined the Green Dam software
and found that it contains serious security vulnerabilities due to
programming errors. Once Green Dam is installed, any web site the user
visits can exploit these problems to take control of the
computer. This could allow malicious sites to steal private data, send
spam, or enlist the computer in a botnet. In addition, we found
vulnerabilities in the way Green Dam processes blacklist updates that
could allow the software makers or others to install malicious code
during the update process. We found these problems with less than 12
hours of testing, and we believe they may be only the tip of the
iceberg. Green Dam makes frequent use of unsafe and outdated
programming practices that likely introduce numerous other
vulnerabilities. Correcting these problems will require extensive
changes to the software and careful retesting. In the meantime, we
recommend that users protect themselves by uninstalling Green Dam
immediately.

This report describes the hardware design of the AVC Advantage
direct-recording electronic (DRE) voting machine. We developed
these functional specifications by reverse engineering a
government-surplus system.

MediaMax CD3 is a new copy-prevention technique from SunnComm
Technologies that is designed to prevent unauthorized copying of
audio CDs using personal computers. SunnComm claims its product
facilitates “a verifiable and commendable level of
security,” but in tests on a newly-released album, I find
that the protections may have no effect on a large fraction of
deployed PCs, and that most users who would be affected can bypass
the system entirely by holding the shift key every time they
insert the CD. I explain that MediaMax interferes with audio
copying by installing a device driver the first time software from
the CD is executed, but I show that this provides only minimal
protection because the driver can easily be disabled. I also
examine the digital rights management system used to control
access to a set of encrypted, compressed audio files distributed
on the CD. Although restrictions on these files are more relaxed
than in prior copy protected discs, they still prohibit many uses
permitted by the law. I conclude that MediaMax and similar
copy-prevention systems are irreparably flawed but predict that
record companies will find success with more customer-friendly
alternatives for reducing infringement.